Commissioner (Cyprus) - 11.17.001.009.077
Revision as of 16:59, 30 January 2024
| Commissioner - 11.17.001.009.077 | |
|---|---|
| Authority: | Commissioner (Cyprus) |
| Jurisdiction: | Cyprus |
| Relevant Law: | Article 5(1)(a) GDPR; Article 57(1)(f) GDPR; Article 58(2)(i) GDPR; Article 83 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 28.04.2021 |
| Decided: | 07.12.2023 |
| Published: | 07.12.2023 |
| Fine: | 1500 EUR |
| Parties: | Complainant; Respondent |
| National Case Number/Name: | 11.17.001.009.077 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Greek |
| Original Source: | Office of the Commissioner for Personal Data Protection (in EL) |
| Initial Contributor: | Evangelia Tsimpida |
The Cypriot Commissioner for Personal Data Protection, following a complaint, imposed a fine in the amount of €1,500 on a doctor for breaching the principle of lawfulness, fairness and transparency provided for in Article 5(1)(a) GDPR.
== English Summary ==
=== Facts ===
A data subject found out that on 09 March 2021 her personal data had been accessed by a doctor (the controller) through the beneficiary portal of the General Health System (GHS), without a referral and without her permission. The reason recorded for accessing the data subject's online GHS account was "The provider created a visit without a referral and had the beneficiary's consent to access his/her Medical Record". Upon discovering that the controller had accessed her medical records, the data subject attempted to contact her without success.
The Health Insurance Agency confirmed that the controller had accessed the data subject's medical data on 09.03.2021 without issuing a referral, submitting a claim for compensation for services, or registering a visit involving the data subject.
On 28 April 2021 the data subject filed a complaint with the Cypriot Data Protection Commissioner (DPC).
On 19.07.2022, the controller provided explanations about the incident to both the Health Insurance Agency and the DPC's Office. She confirmed that she did not know and had never examined the data subject, and that her secretary did not have the data subject's details on file either. Accessing a beneficiary's medical records in the GHS computer system required entering the beneficiary's full name, date of birth and ID number; the controller therefore assumed that she must have spoken to the data subject by telephone about a visit and obtained the data that way. Alternatively, she assumed that the access was an accidental error made while trying to open another patient's file. As a considerable amount of time had elapsed, she could not recall anything specific about the incident. In her explanations, the controller insisted that there had been no processing of the data subject's personal data and that the data subject had suffered no damage as a result of the incident.
On 20.07.2022 the data subject replied to the controller's explanations. She stated that she had never contacted the controller by telephone, nor had she given her personal data to the controller's secretary. As soon as she became aware of the breach, she tried to reach the controller and contacted her secretary, leaving her full name and telephone number (but not her date of birth or identity number) so that the controller could call her back; however, she was unable to reach the controller.
The controller did not add anything else, but persisted in her position.
=== Holding ===
The Cypriot DPC assessed the above facts, underlining that, as both sides confirmed, the controller neither knew nor had examined the data subject. It also considered it significant that the doctor could not prove that she had obtained the data subject's personal data lawfully, or that she was authorised to access the beneficiary portal. The DPC noted that both the possession of the data subject's data and the access to the data subject's beneficiary record on the GHS constituted acts of processing on the part of the controller. Factors such as the absence of malicious intent or the absence of harm do not alter the fact that the data subject's data were indeed breached. Furthermore, the DPC held that the specific personal data required to access the data subject's medical file did not suggest that the access was accidental.
Taking the above into account, the DPC found a violation of Article 5(1)(a) of Regulation (EU) 2016/679, because the data subject's personal data were not processed lawfully, fairly and in a transparent manner. Pursuant to Article 58(2)(i) and Article 83 GDPR, it imposed an administrative fine of one thousand five hundred euros (EUR 1,500) on the controller.
== English Machine Translation of the Decision ==
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
I reviewed a complaint submitted to my Office regarding access to the Complainant's General Health System (GHS) account by a medical practitioner. Specifically, as the Complainant stated, she found that her personal data had been accessed by the doctor on the GHS beneficiary portal, without knowing the doctor, without a referral and without her permission. During the investigation, both the Complainant and the doctor reported to my Office that neither knew the other and that the doctor had not examined the Complainant. I evaluated the doctor's positions regarding the possible ways of obtaining the Complainant's data, which were necessary to access the Complainant's beneficiary portal at the GHS. However, the doctor was unable to prove that she had legally obtained the Complainant's personal data and that she was authorised to gain access to the beneficiary portal. Therefore, the Complainant's personal data were not processed lawfully and legitimately in a transparent manner. That is, the principle of "legality, objectivity and transparency", as provided for in Article 5(1)(a) of the Regulation, was not observed. For the violation of this article, I imposed on the doctor an administrative fine of one thousand five hundred euros (€1,500).